Unless otherwise noted, we have not used or evaluated evaluated these tools. As per usual with open source tools, be sure to evaluate tools before adopting them to ensure they are worthy of your trust.
→ CIT Cloud Team has used the tool.
- https://github.com/sa7mon/S3Scanner
- https://github.com/stelligent/cfn_nag
- https://github.com/duo-labs/cloudtracker
- https://github.com/airbnb/streamalert
- https://github.com/dxa4481/truffleHog
IAM-Specific Tools
- aws-rotate-key - Easily rotate your AWS access key
Tools that Help Secure AWS Resources
- General
- asecure.cloud – Creates customized CloudFormation/Terraform templates to improve security of existing AWS resources, or deploy secured resources.
- RhinoSecurityLabs/pacu – The AWS exploitation framework, designed for testing the security of Amazon Web Services environments.
- Netflix/security_monkey – Security Monkey monitors AWS, GCP, OpenStack, and GitHub orgs for assets and their changes over time.
- CloudFormation
- cfripper – Library and CLI tool for analyzing CloudFormation templates and check them for security compliance
- Keys and Secrets
- exec-with-secrets – Handle secrets in Docker using AWS KMS, SSM parameter store, Secrets Manager, or Azure Key Vault
Training and Tutorials
- AWS Security Workshops – A collection of the latest AWS Security workshops from AWS
- Serverless Security Workshop – In this workshop, you will learn techniques to secure a serverless application built with AWS Lambda, Amazon API Gateway and RDS Aurora. From AWS
- flAWS 2 Challenge – Teaches you AWS (Amazon Web Services) security concepts. The challenges are focused on AWS specific issues, so no buffer overflows, XSS, etc. Able to be attacker or defender for challenges.
Other Compilations of Security Resources
- puresec/awesome-serverless-security – A curated list of awesome serverless security resources such as (e)books, articles, whitepapers, blogs and research papers.